https://github.com/microsoft/krabsetw
KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.
- Host: GitHub
- URL: https://github.com/microsoft/krabsetw
- Owner: microsoft
- License: other
- Created: 2016-10-24T17:38:49.000Z (about 9 years ago)
- Default Branch: master
- Last Pushed: 2025-03-10T21:16:59.000Z (8 months ago)
- Last Synced: 2025-05-07T23:46:59.403Z (6 months ago)
- Topics: etw, krabs, nuget-packages, wrapper
- Language: C++
- Homepage:
- Size: 2.28 MB
- Stars: 652
- Watchers: 41
- Forks: 157
- Open Issues: 42
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-reverse-engineering (249 stars), listed under ETW / Tools: "...level ETW trace consumption functions."
README
Overview
========
**krabsetw** is a C++ library that simplifies interacting with ETW. It allows for any number of traces and providers to be enabled and for client code to register for event notifications from these traces.
**krabsetw** also provides code to simplify parsing generic event data into strongly typed data types.
**Microsoft.O365.Security.Native.ETW** is a C++/CLI (.NET) wrapper around **krabsetw**. It exposes the same functionality as **krabsetw** to .NET applications and is used in production by the Office 365 Security team. It's affectionately referred to as **Lobsters**.
Examples & Documentation
========
* An [ETW Primer](docs/EtwPrimer.md).
* Simple examples can be found in the `examples` folder.
* Please refer to [KrabsExample.md](docs/KrabsExample.md) and [LobstersExample.md](docs/LobstersExample.md) for detailed examples.
* SampleKrabsCSharpExe is a non-trivial example demonstrating how to manage the trace objects.
* [Using Message Analyzer to find new ETW event sources.](docs/UsingMessageAnalyzerToFindETWSources.md)
Important Notes
==============
* `krabsetw` and `Microsoft.O365.Security.Native.ETW` only support x64 and ARM64. No effort has been made to support x86.
* `krabsetw` and `Microsoft.O365.Security.Native.ETW` are only supported on Windows 7 / Windows Server 2008 R2 and later.
* An exception thrown from an event handler callback, or from inside krabsetw or Microsoft.O365.Security.Native.ETW itself, will stop the trace from processing events, so callbacks should catch and handle their own errors.
* The call to "start" on the trace object blocks until the trace is stopped, so thread management may be necessary.
* The Visual Studio solution is krabs\krabs.sln.
* When building a native code binary using the `krabsetw` package, please refer to the [compilation readme](krabs/README.md) for notes about the `TYPEASSERT` and `NDEBUG` compilation flags.
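The following is an added example, not code from the krabsetw repository or its docs, showing how the notes above play out in a .NET consumer built on Microsoft.O365.Security.Native.ETW: the blocking `Start()` call runs on a worker thread, the callback catches its own exceptions so a parse failure cannot kill the session, and the trace is stopped cleanly on shutdown. The provider name `Microsoft-Windows-PowerShell`, event id 7937 and the `ContextInfo` field are assumptions made for illustration; the provider's manifest is authoritative for what it actually emits.

```csharp
// Added example (not from the krabsetw project). Assumes the
// Microsoft.O365.Security.Native.ETW NuGet package is referenced.
// Provider name, event id 7937 and the "ContextInfo" field are assumptions
// for illustration; check the provider manifest before relying on them.
using System;
using System.Threading;
using Microsoft.O365.Security.ETW;

class Program
{
    static void Main()
    {
        var trace = new UserTrace("EtwExampleTrace");
        var provider = new Provider("Microsoft-Windows-PowerShell");

        // Keyword mask: request every keyword for this demo. Narrow it in
        // production so the provider does not flood the session.
        provider.Any = 0xffffffffffffffff;

        // Only invoke the callback for the one event id we care about.
        var filter = new EventFilter(Filter.EventIdIs(7937));
        filter.OnEvent += OnPowerShellEvent;
        provider.AddFilter(filter);
        trace.Enable(provider);

        // trace.Start() blocks until trace.Stop() is called, so run it on
        // its own thread and keep the main thread free for shutdown handling.
        var worker = new Thread(() => trace.Start()) { IsBackground = true };
        worker.Start();

        Console.WriteLine("Tracing; press Enter to stop.");
        Console.ReadLine();

        trace.Stop();   // unblocks Start() on the worker thread
        worker.Join();
    }

    static void OnPowerShellEvent(IEventRecord record)
    {
        // An exception that escapes this callback stops the whole trace,
        // so treat parse failures as data, not as fatal errors.
        try
        {
            string context = record.GetUnicodeString("ContextInfo", "");
            Console.WriteLine($"[{record.Timestamp:o}] pid={record.ProcessId} id={record.Id}");
            Console.WriteLine(context);
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine($"event {record.Id} parse failed: {ex.Message}");
        }
    }
}
```

Starting an ETW session needs either local administrator rights or membership in the Performance Log Users group; without them `Start()` fails rather than silently producing no events.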
NuGet Packages
==============
NuGet packages are available both for the krabsetw C++ headers and the Microsoft.O365.Security.Native.ETW .NET library:
* https://www.nuget.org/packages/Microsoft.O365.Security.Native.ETW/
* https://www.nuget.org/packages/Microsoft.O365.Security.Native.ETW.Debug/ (for development - provides type asserts)
* https://www.nuget.org/packages/Microsoft.O365.Security.Krabsetw/
To check that the .NET binaries are strong-name signed with the Microsoft key, run:
`sn -T Microsoft.O365.Security.Native.ETW.dll`
The expected output is:
```
Microsoft (R) .NET Framework Strong Name Utility Version 4.0.30319.0
Copyright (c) Microsoft Corporation. All rights reserved.
Public key token is 31bf3856ad364e35
```
A different token, or a message that the file is not a strongly named assembly, means the binary is not the Microsoft-signed build. Strong names only identify the signing key; also verify the Authenticode signature on the downloaded package before deploying it.
Community & Contact
==============
Please feel free to file issues through GitHub for bugs and feature requests and we'll respond to them as quickly as we're able.